Bug 12954

Summary: SAMEIP --nodst functionality gone missing
Product: Networking Reporter: Bernhard Schmidt (berni)
Component: Netfilter/IptablesAssignee: networking_netfilter-iptables (networking_netfilter-iptables)
Status: CLOSED CODE_FIX    
Severity: normal CC: alan
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 2.6.25+ Subsystem:
Regression: Yes Bisected commit-id:

Description Bernhard Schmidt 2009-03-27 16:48:04 UTC
This was already briefly discussed on the netfilter mailinglist, but did not spark much response there. However I think this issue is a pretty obvious regression over old kernel versions and might hit quite a few people once the newer kernels get deployed into large NAT setups.

Back in the days of 2.6.18 there was the SAME target which allowed, with the option '--nodst' to SNAT internal hosts to the same address of a whole SNAT range regardless of the destination address.

In cb76c6a597350534d211ba79d92da1f9771f8226 the SAME target was removed from the kernel sources due to being obsolete, since the same functionality was now in nf_nat. Shortly after that a discussion Patrick McHardy proposed a patch to mimic the behaviour of SAME with --nodst in nf_nat by dropping the destination IP from the jhash. The patch was dropped shortly after because it apparently showed some uneven distribution.

The whole thread can be read at http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/23275/focus=27670 .

This thread went dead, I tried to revive it but did not get an answer. We're getting hit by this regression because we are currently NATing some thousand IP addresses (student dorms) to an external /28. It works fine with our old 2.6.18+SAME setup, but tests with 2.6.25+SNAT showed massive issues with connections from the same internal address to different destinations getting NATed to different addresses in the pool. Which breaks, for example, ICQ quite badly.
Comment 1 Andrew Morton 2009-04-07 21:37:19 UTC
(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

"massive issues"!

On Fri, 27 Mar 2009 16:48:06 GMT
bugzilla-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=12954
> 
>            Summary: SAMEIP --nodst functionality gone missing
>            Product: Networking
>            Version: 2.5
>     Kernel Version: 2.6.25+
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: Netfilter/Iptables
>         AssignedTo: networking_netfilter-iptables@kernel-bugs.osdl.org
>         ReportedBy: berni@birkenwald.de
>         Regression: Yes
> 
> 
> This was already briefly discussed on the netfilter mailinglist, but did not
> spark much response there. However I think this issue is a pretty obvious
> regression over old kernel versions and might hit quite a few people once the
> newer kernels get deployed into large NAT setups.
> 
> Back in the days of 2.6.18 there was the SAME target which allowed, with the
> option '--nodst' to SNAT internal hosts to the same address of a whole SNAT
> range regardless of the destination address.
> 
> In cb76c6a597350534d211ba79d92da1f9771f8226 the SAME target was removed from
> the kernel sources due to being obsolete, since the same functionality was
> now
> in nf_nat. Shortly after that a discussion Patrick McHardy proposed a patch
> to
> mimic the behaviour of SAME with --nodst in nf_nat by dropping the
> destination
> IP from the jhash. The patch was dropped shortly after because it apparently
> showed some uneven distribution.
> 
> The whole thread can be read at
>
> http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/23275/focus=27670
> .
> 
> This thread went dead, I tried to revive it but did not get an answer. We're
> getting hit by this regression because we are currently NATing some thousand
> IP
> addresses (student dorms) to an external /28. It works fine with our old
> 2.6.18+SAME setup, but tests with 2.6.25+SNAT showed massive issues with
> connections from the same internal address to different destinations getting
> NATed to different addresses in the pool. Which breaks, for example, ICQ
> quite
> badly.
>
Comment 2 Anonymous Emailer 2009-04-08 08:03:47 UTC
Reply-To: gandalf@mjufs.se

On Tue, 7 Apr 2009, Andrew Morton wrote:

>> Back in the days of 2.6.18 there was the SAME target which allowed, with the
>> option '--nodst' to SNAT internal hosts to the same address of a whole SNAT
>> range regardless of the destination address.
>>
>> In cb76c6a597350534d211ba79d92da1f9771f8226 the SAME target was removed from
>> the kernel sources due to being obsolete, since the same functionality was
>> now
>> in nf_nat. Shortly after that a discussion Patrick McHardy proposed a patch
>> to
>> mimic the behaviour of SAME with --nodst in nf_nat by dropping the
>> destination
>> IP from the jhash. The patch was dropped shortly after because it apparently
>> showed some uneven distribution.
>>
>> The whole thread can be read at
>>
>> http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/23275/focus=27670
>> .
>>
>> This thread went dead, I tried to revive it but did not get an answer. We're
>> getting hit by this regression because we are currently NATing some thousand
>> IP
>> addresses (student dorms) to an external /28. It works fine with our old
>> 2.6.18+SAME setup, but tests with 2.6.25+SNAT showed massive issues with
>> connections from the same internal address to different destinations getting
>> NATed to different addresses in the pool. Which breaks, for example, ICQ
>> quite
>> badly.

Problems like these were the reason why I wrote the SAME target in the 
first place. I NAT'ed a few hundred students behind a small range of 
ipaddresses and with normal SNAT they had extreme problems with ICQ and 
online banking sites which require you to have the same source ip even if 
you move between servers (diffrent destinations) etc.

After I wrote SAME I didn't get a single complaint.

One bonus feature that many students really liked was that they always 
had the same external ipaddress as long as they had the same internal 
ipaddress and the external range of ipaddresses remained the same.

This feature isn't as important as having the same source ip for all 
current sessions when using online banking services etc.

I didn't think anyone was still using SAME... guess I was wrong.

The uneven distribution of the patch in question can't be worse than the 
SAME distributions which, iirc, just does something like:

first_ip_in_snat_range + (client_ip % num_ips_in_snat_range)

And given many clients behind the SNAT the distribution should be quite 
even.


Patrick, how about making the ipaddress selection based on only client 
ipaddress behaviour selectable with an SNAT parameter if the problem with 
the patch is that the distribution can be uneven for a small number of 
clients?

/Martin
Comment 3 Patrick McHardy 2009-04-08 14:56:41 UTC
bugzilla-daemon@bugzilla.kernel.org wrote:
> http://bugzilla.kernel.org/show_bug.cgi?id=12954
> The uneven distribution of the patch in question can't be worse than the 
> SAME distributions which, iirc, just does something like:
> 
> first_ip_in_snat_range + (client_ip % num_ips_in_snat_range)
> 
> And given many clients behind the SNAT the distribution should be quite 
> even.
> 
> 
> Patrick, how about making the ipaddress selection based on only client 
> ipaddress behaviour selectable with an SNAT parameter if the problem with 
> the patch is that the distribution can be uneven for a small number of 
> clients?


Actually I think the results back then were incorrect or it was
just bad luck or something. Ideally we would just enable this
unconditionally I think. I'll do some testing of the distribution
myself during the next days and see how it goes.
Comment 4 Patrick McHardy 2009-04-08 15:32:57 UTC
[Resend to mailing list, I didn't notice this had left bugzilla]

Martin Josefsson wrote:
> Patrick, how about making the ipaddress selection based on only client 
> ipaddress behaviour selectable with an SNAT parameter if the problem 
> with the patch is that the distribution can be uneven for a small number 
> of clients?

Actually I think the results back then were incorrect or it was
just bad luck or something. Ideally we would just enable this
unconditionally I think. I'll do some testing of the distribution
myself during the next days and see how it goes.
Comment 5 Patrick McHardy 2009-04-15 11:53:32 UTC
Patrick McHardy wrote:
> [Resend to mailing list, I didn't notice this had left bugzilla]
> 
> Martin Josefsson wrote:
>> Patrick, how about making the ipaddress selection based on only client 
>> ipaddress behaviour selectable with an SNAT parameter if the problem 
>> with the patch is that the distribution can be uneven for a small 
>> number of clients?
> 
> Actually I think the results back then were incorrect or it was
> just bad luck or something. Ideally we would just enable this
> unconditionally I think. I'll do some testing of the distribution
> myself during the next days and see how it goes.

The distribution did suffer noticably in some cases, so offering
this optionally seems better.

How about this patch? If the IP_NAT_RANGE_PERSISTENT flag is set
on a NAT range, we ignore the destination address in the selection.
Comment 6 Anonymous Emailer 2009-04-15 12:10:56 UTC
Reply-To: jengelh@medozas.de

On Wednesday 2009-04-15 13:53, Patrick McHardy wrote:

> Patrick McHardy wrote:
>> [Resend to mailing list, I didn't notice this had left bugzilla]
>>
>> Martin Josefsson wrote:
>>> Patrick, how about making the ipaddress selection based on only client
>>> ipaddress behaviour selectable with an SNAT parameter if the problem with
>>> the
>>> patch is that the distribution can be uneven for a small number of clients?
>>
>> Actually I think the results back then were incorrect or it was
>> just bad luck or something. Ideally we would just enable this
>> unconditionally I think. I'll do some testing of the distribution
>> myself during the next days and see how it goes.
>
> The distribution did suffer noticably in some cases, so offering
> this optionally seems better.
>
> How about this patch? If the IP_NAT_RANGE_PERSISTENT flag is set
> on a NAT range, we ignore the destination address in the selection.

But where do you set IP_NAT_RANGE_PERSISTENT? (It seems like a dead 
feature right now.)
Comment 7 Patrick McHardy 2009-04-15 12:13:35 UTC
Jan Engelhardt wrote:
> On Wednesday 2009-04-15 13:53, Patrick McHardy wrote:
>   
>> How about this patch? If the IP_NAT_RANGE_PERSISTENT flag is set
>> on a NAT range, we ignore the destination address in the selection.
>>     
>
> But where do you set IP_NAT_RANGE_PERSISTENT? (It seems like a dead 
> feature right now.)
>   

In userspace of course :)
Comment 8 Anonymous Emailer 2009-04-15 12:22:00 UTC
Reply-To: jengelh@medozas.de

On Wednesday 2009-04-15 14:13, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> On Wednesday 2009-04-15 13:53, Patrick McHardy wrote:
>>   
>>> How about this patch? If the IP_NAT_RANGE_PERSISTENT flag is set
>>> on a NAT range, we ignore the destination address in the selection.
>>
>> But where do you set IP_NAT_RANGE_PERSISTENT? (It seems like a dead 
>> feature right now.)
>
>In userspace of course :)

Ah I hear the crisp sound of an upcoming iptables 1.4.4.
Comment 9 Patrick McHardy 2009-04-15 12:36:03 UTC
Jan Engelhardt wrote:
> On Wednesday 2009-04-15 14:13, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> On Wednesday 2009-04-15 13:53, Patrick McHardy wrote:
>>>   
>>>> How about this patch? If the IP_NAT_RANGE_PERSISTENT flag is set
>>>> on a NAT range, we ignore the destination address in the selection.
>>> But where do you set IP_NAT_RANGE_PERSISTENT? (It seems like a dead 
>>> feature right now.)
>> In userspace of course :)
> 
> Ah I hear the crisp sound of an upcoming iptables 1.4.4.

In a while :)

This is the corresponding userspace patch:
Comment 10 Patrick McHardy 2009-04-17 16:16:15 UTC
Patrick McHardy wrote:
> This is the corresponding userspace patch:
> 

I've just commited the patch to the iptables git tree. The kernel
patch is on its way upstream.